Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/18/2018
02:30 PM
Barak Perelman
Barak Perelman
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The Top 5 Security Threats & Mitigations for Industrial Networks

While vastly different than their IT counterparts, operational technology environments share common risks and best practices.

Our nation's critical infrastructure and the industrial control networks that manage them are under constant threat from a host of malicious actors — including nation-states, politically or financially motivated hackers, insiders, and disgruntled ex-employees.

Unfortunately, all industrial control system (ICS) networks share a common weakness: they were built before cyber threats existed and are not designed with built-in external security controls.

A breach of an ICS network can be disastrous and expensive. Consequences range from physical and environmental damage and costly downtime for manufacturing processes to putting lives at risk. In addition, a breach can bring heavy fines from regulators and lawsuits from parties claiming injury or damage, and it can also shake shareholder confidence.

Given these stakes, let's consider the five most common threats to ICS networks and how to reduce the risk associated with them.

Risk 1. Poor Network Configuration
The weaker the configuration, the greater the likelihood of a successful attack. For example, once a control device has been exposed to the Internet due to a poor configuration, both phases of a breach can occur — the attacker can gain a foothold in the network and exploit a sensitive asset.

Mitigation: ICS devices should never be directly connected to the Internet. Strict network segmentation should be implemented and the integrity of the network should never be sacrificed for the sake of convenience.

Risk 2: No Audit Trail
An audit trail is essential for understanding what's going on in any network. However, logging mechanisms in some ICS environments do not exist or are incomplete. In many cases, security teams lack the knowledge of operational technologies (OT) to know how to collect logs or where to look for them.

Mitigation: Basic record-keeping is crucial for both the incident response and the forensic investigation of an attack. It is also required for any type of regulatory compliance audit. This begins with understanding the limitations of the environment — what data is being monitored and collected, and what isn't. One hundred percent visibility, monitoring, and control should be the goal, including the collection and aggregation of all logs.

Most ICS networks have components that generate an audit trail, but too often these capabilities are underutilized. All incidents should be automatically reported to the security incident response team, logged, and correlated via a real-time audit mechanism.

Risk 3: Lack of Control
Many ICS environments do not have basic controls for managing assets that are considered table stakes in IT networks. As a result, security hygiene in OT networks is often an afterthought and lacking in the following ways:

  • Patches can't be easily deployed and usually aren't.
  • There's no centralized, up-to-date inventory of assets, configurations, software versions, patch levels, etc.
  • Internal security policies are not monitored or enforced.
  • The security model is based on a "if it works, better not mess with it" paradigm.

Mitigation: Implementing a centralized and automated asset management capability for OT networks is crucial. Without an up-to-date and accurate inventory of ICS assets, especially the controllers responsible for managing physical processes, it is virtually impossible to assess risks, apply patches, and detect unauthorized changes and activity.

Risk 4: Employee Ignorance
Just as in IT environments, employees pose a significant risk to OT network security. Phishing attacks, social engineering, and risky browsing behaviors all threaten to punch a hole that can be exploited by attackers to compromise the IT, OT or both networks via lateral movement.

Mitigation: Security training, network segmentation, and multifactor authentication can all help prevent breaches caused by employee lack of awareness, policy violations, or human error.

Risk 5: Insider Attacks
Insiders in OT environments pose the same security risk as in IT environments. The source can be malicious, such as a disgruntled employee, an insider who is paid to steal or sabotage assets, or an internal account compromise attack by an outsider. An insider threat can also be unintended, caused by human error.

Mitigation: Performing a risk assessment to identify and address vulnerabilities such as over-privileged accounts, insiders with access to resources they don't need to do their jobs, and orphaned accounts is essential to reducing the attack surface for insider threats. Knowing and monitoring OT attack vectors, which are primarily the network and direct access to devices via serial ports, can also defeat these threats. Network activity anomaly detection and routine device integrity checks can identify malicious activity before it's too late. Finally, unifying IT and OT security, because both environments are often interconnected, can help protect against attacks that originate on one network and attempt to move laterally to the other.

Despite the cultural divide between IT and OT, both environments share a common set of threats and vulnerabilities. And while the consequences of an OT security breach are decidedly more physical in nature, many of the lessons learned and best practices from IT can help prevent them. 

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Barak Perelman is CEO of Indegy, an industrial security firm that helps critical infrastructure companies operate efficiently and reliably by protecting against cyberattacks. He is a graduate of Talpiot, the elite Israel Defense Forces (IDF) academy where he led several ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-0234
PUBLISHED: 2019-07-15
A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Roller's Math Comment Authenticator did not property sanitize user input and could be exploited to perform Reflected Cross Site Scripting (XSS). The mitigation for this vulnerability is to upgrade to the latest version of ...
CVE-2018-7838
PUBLISHED: 2019-07-15
A CWE-119 Buffer Errors vulnerability exists in Modicon M580 CPU - BMEP582040, all versions before V2.90, and Modicon Ethernet Module BMENOC0301, all versions before V2.16, which could cause denial of service on the FTP service of the controller or the Ethernet BMENOC module when it receives a FTP C...
CVE-2019-6822
PUBLISHED: 2019-07-15
A Use After Free: CWE-416 vulnerability exists in Zelio Soft 2, V5.2 and earlier, which could cause remote code execution when opening a specially crafted Zelio Soft 2 project file.
CVE-2019-6823
PUBLISHED: 2019-07-15
A CWE-94: Code Injection vulnerability exists in ProClima (all versions prior to version 8.0.0) which could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system in all versions of ProClima prior to version 8.0.0.
CVE-2019-6824
PUBLISHED: 2019-07-15
A CWE-119: Buffer Errors vulnerability exists in ProClima (all versions prior to version 8.0.0) which allows an unauthenticated, remote attacker to execute arbitrary code on the targeted system in all versions of ProClima prior to version 8.0.0.